Just when you thought Uber had hit rock-bottom and was on its way back up…

In a somewhat stunning – even for Uber – series of events, Bloomberg reports that the ride-hailing service concealed a massive cyberattack – in which hackers stole personal data from 57 million customers – for more than a year… and paid the hackers $100,000 to keep quiet about the cyberattack.

This week, the ride-hailing company ousted Joe Sullivan, chief security officer, and one of his deputies for their roles in keeping the hack under wraps.

Compromised data from the October 2016 attack included names, email addresses and phone numbers of over 50 million Uber riders around the world, the company told Bloomberg on Tuesday.

The personal information of about 7 million drivers were accessed as well, including some 600,000 U.S. driver’s license numbers.

“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who took over as chief executive officer in September, said in an emailed statement.
“We are changing the way we do business.”

Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said.

Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data.

Kalanick declined to comment on the hack.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said in the emailed statement.

The company plans to release a statement to customers saying it has seen “no evidence of fraud or misuse tied to the incident.” Uber said it will provide drivers whose licenses were compromised with free credit protection monitoring and identity theft protection.